-
Notifications
You must be signed in to change notification settings - Fork 2
Protocol
This is an attempt to reverse engineer the protocol that is used by the Jablotron 6x alarm to communicate over the JA-80T serial cable with the ComLink software.
| baud rate | 9600 |
|---|---|
| data bits | 8 |
| stop bits | 1 |
| parity | None |
| flow control | None |
| offset | size | description |
|---|---|---|
| 00 | 1 byte | Record type |
| .. | variable | payload |
| -2 | 1 byte | some kind of checksu |
| -1 | 1 byte | 0xFF - indicates end of message |
List of known record types
| Record type | description |
|---|---|
| 80 - 8f | key pressed |
| a0 - af | Audio/Beeps |
| b0 - bf | Internal commands |
| e0 - e2 | General status (send periodically) |
| e3 | Service event |
| e4 | User event |
| e5 | Alarm settings/time ??? |
| e6 | Alarm settings (individual checkboxes) |
| e7 | Some other event (send periodically) |
| e8 | Some different event |
| e9 | Sensor seen motion in service mode |
| ec | Settings from GSM communicator |
| fe | ??? |
record types 80 are being send by the switchboard to echo the pressed keys, as well these codes could be send over serial line to switchboard to emulate the key presses (in the input mode the 0xFF terminator is omitted)
| offset | size | description |
|---|---|---|
| 00 | 1 byte | Key being pressed |
| 01 | 1 byte | 0xFF - indicates end of message |
this is the mapping of the keypad keys to their serial codes, special keys like with the pictograms are emulated as e.g. F1, F2 ... etc. (see the manual) The serial codes 0x8A - 0x8D do get accepted by the switchboard and are confirmed by beeps but do not do anything.
| Code | Key |
|---|---|
| 0x80 | 0 |
| 0x81 | 1 |
| 0x82 | 2 |
| 0x83 | 3 |
| 0x84 | 4 |
| 0x85 | 5 |
| 0x86 | 6 |
| 0x87 | 7 |
| 0x88 | 8 |
| 0x89 | 9 |
| 0x8E | N |
| 0x8F | F |
record types a0 - aa are likely requests for peripherials to emit various kinds of beeps.
| offset | size | description |
|---|---|---|
| 00 | 1 byte | Beep type |
| 01 | 1 byte | 0xFF - indicates end of message |
there are following types of audio beeps spotted so far:
| Code | Description |
|---|---|
| 0xa0 | single short beep - (e.g. when key gets pressed) |
| 0xa1 | single long beep - (e.g. when entering service mode) |
| 0xa2 | two long beeps - (e.g. when disarmed) |
| 0xa4 | 4 short beeps (e.g. when N gets pressed) |
| 0xa8 | infinite beeping (e.g. after being armed) |
| 0xaa | seen when arming/disarming |
b0 - bf seems to be internal commands that various periferials use to request data from other periferials. You may send these codes without the trailing 0xff to dispatch the request yourself and the command will be echoed back (with trailing 0xff)
| offset | size | description |
|---|---|---|
| 00 | 1 byte | Comman |
| 01 | 1 byte | 0xFF - indicates end of message |
commands seen so far:
| Mode | Description |
|---|---|
| 0xb1 | responds with e3 and e7 events 4d 1b |
| 0xb2 | responds with e3 and e7 ... 05 b1 and fires tamper alarm :-( |
| 0xb3 | responds with e3 and e7 16 b1 |
| 0xb4 | ??? - end of response / confirmation ? |
| 0xb5 | list of e4 events from switch board |
| 0xb6 | ??? - (does nothing when send) |
| 0xb7 | ??? - seen when switching to service mode (does nothing when send) |
| 0xb8 | ??? - seen when switching to user mode (does nothing when send) |
| 0xb9 | responds with e8 10 |
| 0xba | responds with e7 event 48 1b (last message in the log ?) |
| 0xbb | responds with e3 and e7 .. 53 1b |
| 0xbc | responds with e3 and e7 .. 54 1b |
| 0xbd | ??? - (does nothing when send) |
| 0xbe | ??? - (does nothing when send) |
| 0xbf | responds with e4 17 04 19 56 46 1b 5f ff |
Record type e0 is general status, it is send periodically every second or so by the alarm. When the arming is delayed the e0 events get replaced by e1 events and when the delay is about to expire with e2 events. Once fully armed they go back to e0.
| offset | size | description |
|---|---|---|
| 00 | 1 byte | e0 - general status |
| 01 | 1 byte | mode |
| 02 | 1 byte | binary status of leds ??? |
| 03 | 1 byte | content of display ??? |
| 04 | 1 byte | strength of GSM signal/battery?? |
| 05 | 1 byte | always zero in my case |
| 06 | 1 byte | checksum |
| 07 | 1 byte | 0xFF - indicates end of message |
Mode:
| Value | Mode |
|---|---|
| 0x00 | service mode |
| 0x20 | user mode |
| 0x40 | disarmed |
| 0x70 | armed B ? |
Led status:
| Value | Activates LED |
|---|---|
| 0x01 | Power |
| 0x02 | Alarm |
| 0x04 | Tamper |
| 0x07 | Malfunction |
| 0x10 | Battery ? |
| 0x20 | Armed |
| 0x40 | Wireless communication |
| 0x80 | ??? |
Display:
| Value | Content of display |
|---|---|
| 0x01 | 1 |
| 0x02 | 2 |
| 0x03 | 3 |
| 0x04 | 4 |
| 0x05 | 5 |
| 0x06 | 6 |
| 0x07 | 7 |
| 0x08 | 8 |
| 0x09 | 9 |
| 0x0A | 10 |
| 0x0B | 11 |
| 0x0C | 12 |
| 0x0D | 13 |
| 0x0E | 14 |
| 0x0F | 15 |
| 0x10 | 16 |
| 0x11 | A |
| 0x13 | C |
| 0x14 | d |
| 0x17 | U |
| 0x1a | P |
| 0x1c | L |
| 0x1d | J |
| 0x21 | c1 |
| 0x22 | c2 |
| 0x23 | c3 |
| 0x24 | c4 |
| 0x25 | c5 |
| 0x26 | c6 |
| 0x27 | c7 |
| 0x28 | c8 |
| 0x59 | Empty display |
| 0x5b | symbol "-" |
| 0x5f | two vertical bars |
Examples of e0 messages:
| message | description |
|---|---|
| e0 40 01 59 75 00 3d ff | in normal mode nothing on display |
| e0 40 01 5b 75 00 06 ff | after pressin F on keypad |
| e0 40 01 5b 75 00 06 ff | after pressing 5 on keypad, display shows symbol '-' |
| e0 20 01 09 75 00 38 ff | user mode |
| e0 20 01 17 75 00 07 ff | user mode |
| e0 20 03 02 75 00 34 ff | user mode, sensor 1 seen motion |
| e0 20 03 01 75 00 43 ff | user mode, sensor 2 seen motion |
| e0 00 01 1a 75 00 57 ff | service mode |
| e0 00 03 02 75 00 11 ff | service mode, sensor 2 seen motion |
| e0 00 01 1a 7f 00 15 ff | service mode, happens sometimes |
| e0 73 21 5f 76 00 53 ff | arming B mode (display shows 2 vertical bars) |
| e0 73 21 5f 75 00 2d ff | arming B mode |
| e0 73 21 5f 72 00 58 ff | arming B mode |
| e0 73 21 5f 75 00 2d ff | arming B mode |
| e0 41 11 59 75 00 76 ff | fully armed A + B |
| e1 51 21 59 75 00 37 ff | delayed leave |
| e2 51 21 59 75 00 26 ff | delay is about to expire |
| e2 44 05 14 75 02 1f ff | tamper alarm, digital bus ;-) |
Record type e3 is probably some time stamped service event from the alarm. It often happens that the same event is send as e3 and as well as e7 right away.
| offset | size | description |
|---|---|---|
| 00 | 1 byte | e3 - service event |
| 01 | 1 byte | day (BCD encoded) |
| 02 | 1 byte | month (BCD encoded) |
| 03 | 1 byte | hour (BCD encoded) |
| 04 | 1 byte | minute (BCD encoded) |
| 05 | 1 byte | Event type |
| 06 | 1 byte | Event source |
| 07 | 1 byte | checksum |
| 08 | 1 byte | 0xFF - indicates end of message |
Examples of event types / event source
| Event type | Message |
|---|---|
| 0x05 | Tamper alarm |
| 0x08 | system armed |
| 0x09 | system disarmed |
| 0x0e | Exited programming mode ? |
| 0x16 | ??? |
| 0x1a | ??? |
| 0x41 | service mode started |
| 0x42 | service mode ended |
| 0x44 | message send to number 1 |
| 0x46 | message send to number 2 |
| 0x48 | message send to number 3 |
| 0x4d | ??? |
| 0x4e | ??? |
| 0x50 | all tamper sensors OK |
| 0x53 | ??? |
| 0x54 | ??? |
| code | Event source |
|---|---|
| 0x00 | Switchboard, control pane |
| 0x1c | Digital bus / Serial Port |
| 0x1b | Phone line |
| 0x21 | Wired sensor 1 |
| 0x22 | Wired sensor 2 |
User event stored in memmory. Same format as e3. List of all user events stored in system could be requested by b5
Unknown event. Example: e5 04 11 17 07 71 ff (received on 12.10.2018 0:12)
Configuration of the switchboard.
Example:
e6 03 01 01 4d ff - 1 chkbx
e6 03 02 01 33 ff - 2 chkbx
e6 03 03 01 19 ff - etc
e6 03 04 00 2a ff
e6 03 05 01 46 ff
....
e6 03 09 00 1d ff
e6 02 05 00 4c ff
e6 02 06 00 32 ff
e6 02 07 00 18 ff
e6 02 08 01 3d ff
Some other timestamped event often exactly repeats the content of previous e3 event. e7 event could be requested by ba.
some simple timeless status event.
Examples:
e8 0c 64 ff
e8 0b 53 ff - when switched to user mode
e8 0d 22 ff - when setting time
e8 0e 4b ff - when disarming section B
e8 0e 4b ff - when armed + delay
e8 0e 4b ff - when switched to service mode
these events are seen when in service mode and testing sensors.
| offset | size | description |
|---|---|---|
| 00 | 1 byte | e9 - service event ? |
| 01 | 1 byte | Event type |
| 02 | 1 byte | Event source |
| 03 | 1 byte | RF signal ? (all zeros for me) |
| 04 | 1 byte | checksum |
| 05 | 1 byte | 0xFF - indicates end of message |
Event type
(these are in fact the codes being send to PCO, so chances are they will match the internal event types)
| code | Event |
|---|---|
| 0x01 | alarm in immediate zone |
| 0x02 | alarm in delayed zone |
| 0x03 | fire alarm |
| 0x04 | silent alarm |
| 0x05 | alarm - num attempts exceeded |
| 0x06 | alarm after power on |
| 0x07 | tamper alarm |
| 0x08 | tamper recovered |
| 0x09 | alarm timed out |
| 0x0A | alarm canceled by user |
| 0x0B | armed |
| 0x0C | disarmed |
| 0x0D | armed partially (home) |
| 0x0E | armed without code |
| 0x0F | external communication failure |
| 0x10 | external communication recovered |
| 0x11 | malfunction |
| 0x12 | malfunction recovered |
| 0x13 | AC disconnected for longer than 30 min |
| 0x14 | AC disconnected |
| 0x15 | AC recovered |
| 0x16 | Battery depleted |
| 0x17 | Battery OK |
| 0x18 | Service mode started |
| 0x19 | Service mode ended |
| 0x1A | Remote access started |
| 0x1B | Remote access ended |
| 0x1C | VF receiver jamming |
| 0x1D | internal communication failure |
| 0x1E | internal communication recovery |
| 0x1F | test transmission |
these events are used by the GSM communicator to dump / set it's configuration. If you are in service mode you may send these messages (need to contain valid checksum and trailing 0xFF) and talk to the GSM communicator.
| offset | size | description |
|---|---|---|
| 00 | 1 byte | ec - GSM configuration/text |
| 01 | 1 byte | GSM message type ? |
| 02 | 1 byte | settings/message ID ? |
| 03 | variable | variable payload |
| -2 | 1 byte | checksum |
| -1 | 1 byte | 0xFF - indicates end of message |
GSM message type:
seen ID's
| id | description |
|---|---|
| 0x00 | terminates the list of GSM configuration (ec 00 00 12 ff) |
| 0x01 | configuration containing zero terminated strings (e.g. phone numbers) |
| 0x02 | seen when dumping GSM config (single value) |
| 0x03 | binary ? configuration for 40 checkboxes ? |
| 0x2X | configurable texts starting from ID X*100 |
| 0x40 | used to request configuration dumps |
Format of the 0x2X text message type
| offset | size | description |
|---|---|---|
| 00 | 1 byte | ec - GSM message |
| 01 | 4 bits | 0x2 - GSM text |
| 01 | 4 bits | base ID |
| 02 | 1 byte | message ID (+ base ID * 100) |
| 03 | 3 bytes | string lenght |
| X | 3 bytes | Character (e.g. 20 00 00 = space) |
| -5 | 1 byte | 0x00 |
| -4 | 1 byte | 0x00 |
| -2 | 1 byte | checksum |
| -1 | 1 byte | 0xFF - indicates end of message |
Known commands you may send to GSM communicatior:
(you have to be in programming mode)
| command | description |
|---|---|
| ec 40 05 19 ff | Dump customizable texts from GSM communicator |
| ec 40 07 36 ff | Dump configuration of the GSM communicator |
unknown, seen when exiting user mode in format fe ff